A significant change to Australia’s data security legislation is heading our way in 2018. Here’s a quick rundown on what you need to know and do to prepare.
What’s the change?
A mandatory data breach notification scheme is being introduced that requires businesses and government agencies to notify the Privacy Commissioner and customers if there is a data breach.
Who needs to comply?
Any organisation governed by the Privacy Act. This excludes state government organisations, local councils and organisations with a turnover of less than $3 million per year.
What is an eligible data breach?
According to the official website:
- Any data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
- A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
Examples of a data breach include when:
- a device containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person.
What action must be taken if there is a breach?
If a suspected data breach occurs, you must undertake an assessment within 30 days. If it is determined to be a breach, you must notify the Privacy Commissioner and affected individuals about the breach, including your company’s name and contact details, a description of the breach, the kinds of information involved, and recommended actions those affected should take to protect themselves.
What happens if I don’t comply?
The penalties for failure to notify include fines of $360,000 for individuals and $1.8 million for organisations.
What should I do to prepare?
If you’re not already serious about data security, now is the time. Preparation may include:
- Reviewing your practices, procedures and systems for securing personal information.
- Reviewing the security measures of your partners and suppliers, including those involved in outsourced IT asset management services.
- Updating or creating a data breach response plan so that you can respond quickly, effectively and in full compliance.
- Educating staff and creating a culture of data security and protection. It’s no longer just an IT responsibility; it affects many departments and employees, such as those in marketing.
- Taking expert advice, including from legal advisors, on the suitability of your employment and business contracts and NDAs.
And finally, when you are disposing of end-of-life IT assets, make sure you work with a supplier like Greenbox that has the highest security measures in place, along with a full understanding of the new legislation.